---
layout: docs
page_title: Vault Secrets Operator Installation
description: >-
  The Vault Secrets Operator can be installed using Helm.
---

# Installing and upgrading the Vault Secrets Operator

## Prerequisites

- A Kubernetes cluster running 1.23+
- Helm 3.7+
- [Optional] Kustomize 4.5.7+

## Installation using Helm

[Install Helm](https://helm.sh/docs/intro/install) before beginning.

The [Vault Secrets Operator Helm chart](/vault/docs/platform/k8s/vso/helm) is the recommended way of
installing and configuring the Vault Secrets Operator.

To install a new instance of the Vault Secrets Operator, first add the
HashiCorp Helm repository and ensure you have access to the chart:

```shell-session
$ helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories
```

```shell-session
$ helm search repo hashicorp/vault-secrets-operator
NAME           	CHART VERSION	APP VERSION	DESCRIPTION
hashicorp/vault-secrets-operator	0.7.1       	0.7.1     	Official HashiCorp Vault Secrets Operator Chart
```

Then install the Operator:

```shell-session
$ helm install --version 0.7.1 --create-namespace --namespace vault-secrets-operator vault-secrets-operator hashicorp/vault-secrets-operator
```

## Upgrading using Helm

You can upgrade an existing installation with the `helm upgrade` command.
Please always run Helm with the `--dry-run` option before any install or upgrade to verify
changes.

Update the `hashicorp` Helm repo:
```shell-session
$ helm repo update hashicorp
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "hashicorp" chart repository
Update Complete. ⎈Happy Helming!⎈
```

<Note title="Helm does not automatically update CRDs">
  You must update all CRDs manually before upgrading VSO.
  Refer to <a href="#updating-crds">Updating CRDs</a>.
</Note>

To upgrade your VSO release, replace `<TARGET_VSO_VERSION>` with the VSO version you are upgrading to:
```shell-session
$ helm show crds --version <TARGET_VSO_VERSION> hashicorp/vault-secrets-operator | kubectl apply -f -
$ helm upgrade --version <TARGET_VSO_VERSION> --namespace vault-secrets-operator vault-secrets-operator hashicorp/vault-secrets-operator
```

For example, if you are upgrading to VSO 0.7.1:
```shell-session
$ helm show crds --version 0.7.1 hashicorp/vault-secrets-operator | kubectl apply -f -
$ helm upgrade --version 0.7.1 --namespace vault-secrets-operator vault-secrets-operator hashicorp/vault-secrets-operator
```

## Updating CRDs when using Helm

You must update the CRDs for VSO manually **before** you upgrade the
 operator when the operator is managed by Helm.

**Any `kubectl` warnings related to `last-applied-configuration` should be safe to ignore.**

To update the VSO CRDs, replace `<TARGET_VSO_VERSION>` with the VSO version you are upgrading to:
```shell-session
$ helm show crds --version <TARGET_VSO_VERSION> hashicorp/vault-secrets-operator | kubectl apply -f -
```

For example, if you are upgrading to VSO 0.7.1:
```shell-session
$ helm show crds --version 0.7.1 hashicorp/vault-secrets-operator | kubectl apply -f -

customresourcedefinition.apiextensions.k8s.io/hcpauths.secrets.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/hcpvaultsecretsapps.secrets.hashicorp.com created
Warning: resource customresourcedefinitions/vaultauths.secrets.hashicorp.com is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
customresourcedefinition.apiextensions.k8s.io/vaultauths.secrets.hashicorp.com configured
Warning: resource customresourcedefinitions/vaultconnections.secrets.hashicorp.com is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
customresourcedefinition.apiextensions.k8s.io/vaultconnections.secrets.hashicorp.com configured
Warning: resource customresourcedefinitions/vaultdynamicsecrets.secrets.hashicorp.com is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
customresourcedefinition.apiextensions.k8s.io/vaultdynamicsecrets.secrets.hashicorp.com configured
Warning: resource customresourcedefinitions/vaultpkisecrets.secrets.hashicorp.com is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
customresourcedefinition.apiextensions.k8s.io/vaultpkisecrets.secrets.hashicorp.com configured
Warning: resource customresourcedefinitions/vaultstaticsecrets.secrets.hashicorp.com is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
customresourcedefinition.apiextensions.k8s.io/vaultstaticsecrets.secrets.hashicorp.com configured
```

## Chart values

Refer to the [VSO Helm chart](/vault/docs/platform/k8s/vso/helm)
 overview for a full list of supported chart values.

## Installation using Kustomize

You can install and update your installation using `kustomize` which allows you to extend the `config/` path of the VSO repository using Kustomize primitives.

To install using Kustomize, download and untar/unzip the latest release from the [Releases Page](https://github.com/hashicorp/vault-secrets-operator/releases).
```shell-session
$ wget -q https://github.com/hashicorp/vault-secrets-operator/archive/refs/tags/v0.7.1.tar.gz
$ tar -zxf v0.7.1.tar.gz
$ cd vault-secrets-operator-0.7.1/
```

Next install using `kustomize build`:
```shell-session
$ kustomize build config/default | kubectl apply -f -
namespace/vault-secrets-operator-system created
customresourcedefinition.apiextensions.k8s.io/hcpauths.secrets.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/hcpvaultsecretsapps.secrets.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/vaultauths.secrets.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/vaultconnections.secrets.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/vaultdynamicsecrets.secrets.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/vaultpkisecrets.secrets.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/vaultstaticsecrets.secrets.hashicorp.com created
serviceaccount/vault-secrets-operator-controller-manager created
role.rbac.authorization.k8s.io/vault-secrets-operator-leader-election-role created
clusterrole.rbac.authorization.k8s.io/vault-secrets-operator-manager-role created
clusterrole.rbac.authorization.k8s.io/vault-secrets-operator-metrics-reader created
clusterrole.rbac.authorization.k8s.io/vault-secrets-operator-proxy-role created
rolebinding.rbac.authorization.k8s.io/vault-secrets-operator-leader-election-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/vault-secrets-operator-manager-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/vault-secrets-operator-proxy-rolebinding created
configmap/vault-secrets-operator-manager-config created
service/vault-secrets-operator-controller-manager-metrics-service created
deployment.apps/vault-secrets-operator-controller-manager created
```

Confirm the operator has been installed by examining the pods:
```shell-session
$ kubectl get pods -n vault-secrets-operator-system
NAMESPACE                       NAME                                                         READY   STATUS    RESTARTS   AGE
vault-secrets-operator-system   vault-secrets-operator-controller-manager-56754d5496-cq69s   2/2     Running   0          1m17s
```

<Note title="Kustomize does not support all features of the Helm chart">

  Notably it will not deploy default VaultAuthMethod, VaultConnection or Transit related resources.
  Kustomize also does not support pre-delete hooks that the Helm chart uses to cleanup resources
  and remove finalizers on the uninstall path. Please see [`config/samples`](https://github.com/hashicorp/vault-secrets-operator/tree/main/config/samples)
  or `config/samples` in the downloaded release artifacts for additional resources.

</Note>

## Upgrade using Kustomize

Upgrading using Kustomize is similar to installation: simply download the new release from github and follow
the same steps as outlined in [Installation using Kustomize](#installation-using-kustomize).
No additional steps are required to update the CRDs.
